In this article we start to look at the best approach to the PCI DSS (Payment Card Industry Data Security Standard) for those new to the standard, and in particular at the fact that there is no need to panic. A pragmatic, step-by-step approach is better than "trying to boil the ocean".
This blog forms the 1st of a series of articles that will address a wide range of subjects relating to the PCI DSS (Payment Card Industry Data Security Standard). The initial items in the series will be aimed at people new to the standard, covering various subjects related to technology, processes and the all-important people aspects of gaining and maintaining compliance.
The first and most important thing to say is that you don’t need to panic. Becoming compliant should be regarded as a process, and it’s certainly one where a considered and steady approach makes far more sense than trying to ‘boil the ocean’. Too many times we see suppliers with a vested interest ‘scaremongering’ about the possible impact of non-compliance, when many customers are already a fair way towards becoming compliant with the PCI DSS and in reality already run secure environments.
The PCI DSS is simply a sound set of data security requirements that will help you to secure your customers’ credit and debit card information whilst protecting your brand from the damage a security breach would cause.
The good news is that this is a well-trodden path and there is a wealth of information and expertise out there waiting to be tapped. In addition to this, the technology elements of the process have become less expensive, better proven and easier to manage.
Step 1 – Research
There are a number of excellent resources out there which help with getting a clear understanding of the process:
I’d certainly recommend spending some time using these resources (and of course reading future instalments of this blog!) before spending money with an “expert”.
If you do have any specific questions my contact details are shown at the bottom of the blog and I’d be more than happy to help where I can.
Step 2 – Initial review
The next step is to do an initial review. Remember this is just for your own use, so don’t get hung up on the exact details; you are just trying to get a feel for where you stand.
You can download a great spreadsheet from here that will allow you to start getting a feel for where you are with the PCI DSS. Simply starting to complete it will give you a running score of your progress towards compliance (see the example graph below).
Again, don’t worry at this stage if you don’t understand everything, and don’t be put off by the spreadsheet (it’s far simpler than it looks). It’ll give you an idea of the areas you need to research further and/or where you may need help from other people within or outside your business.
Make sure to look at all the tabs:
Especially the graphs that will show you how much progress you are making against each of the areas:
Step 3 – Plan
Once you have completed step 2 you’ll be able to start thinking about an initial plan. Once again, this is really just for you, so it’s important that you are honest about what needs to be done.
At this stage, unless your initial review has highlighted something catastrophic (which is highly unlikely), again take a pragmatic, slow and steady approach.
My suggestion would be to break the plan down as follows:
- Things I could do simply and cheaply now
- Things someone else within the business could do cheaply and simply now
These two categories will give you your initial ‘quick wins’.
- Areas where more information is needed
- Items that need further research
- Elements where outside assistance is likely to be required
Again if you have any questions in relation to these areas or would like some suggestions on external resources then get in contact.
Step 4 – Start getting buy-in
This is an essential and often overlooked part of the process. All too often the task of looking at the PCI DSS falls on one individual in a single department, when it’s something the entire business needs to buy into.
We find the most successful implementations happen in organisations where there is broad buy-in from the start. Start talking with key people within:
- The contact centre (if you have one)
Also try to get some board-level sponsorship for the concept: it’s essential to have at least the Finance Director bought into the idea, and with so much of the standard relating to IT security it’s important to have IT support for the project.
That’s the end of my initial overview of PCI compliance, future editions will get far more specific about key areas of technology, risk management, process and managing a PCI project.
If, however, you can start by following the process detailed above, you’ll find many of the later steps will be far simpler and cheaper to implement.
About the author
Matt Keen is a published information security expert specialising in compliance and specifically the PCI DSS. As a Director of Celuis Network Systems, one of the world’s leading specialists in the field, he spends his days working with companies on their security and compliance requirements and his evenings trying to become a better cyclist! For more information please visit www.celuis.com or Matt Keen’s Brandyourself.com profile. Please contact Matt at firstname.lastname@example.org if you have any questions.